CSV Tooling: How Commercial Surveillance Vendors Build and Weaponize Exploit Chains

In 2025, commercial surveillance vendors surpassed nation-state actors as the leading source of attributed zero-day exploitation — the first time that milestone had been reached since Google began tracking the category. Understanding how these vendors assemble, deliver, and conceal their tools is no longer optional background knowledge for defenders. It is a prerequisite. Several findings in this area are accurate but actively debated online, with conflicting framings circulating across coverage. Where that is the case, this article flags it directly and explains what the primary sources actually say.

If you need a primer on what commercial surveillance vendors are and how the industry is structured, the kandibrian.com guide to commercial surveillance vendors covers the regulatory landscape, major players, and business model in detail. This article focuses specifically on the technical tooling side — the exploit frameworks, delivery mechanisms, evasion techniques, and detection tools that define the CSV threat in 2025 and 2026.

What CSV Tooling Actually Means

The term "CSV tooling" refers to the full technical stack that a commercial surveillance vendor provides to a paying customer. In the early years of the industry, some vendors sold isolated capabilities — a single exploit for a specific platform, or a basic implant with limited functionality. That model no longer reflects how sophisticated CSVs operate.

Google's Threat Intelligence Group (GTIG) described the modern CSV offering in its December 2025 Intellexa analysis as turn-key solutions covering the entire attack lifecycle: not just exploit chains, but the subsequent tools needed to identify targets, establish persistence, exfiltrate data, and maintain operational security. The capabilities that once required years of investment, deep technical expertise, and sustained intelligence resources are now sold as a service, often with operator dashboards, customer support, and update subscriptions.

The tooling stack a mature CSV deploys for a government customer is fully integrated across several layers:

  • Recon: reconnaissance and target qualification frameworks profile the device model, OS version, and network environment before committing a high-value exploit, ensuring the payload is not wasted on an analysis sandbox.
  • Delivery: one-time links, malicious advertising networks, watering holes, or zero-click network injection carry the exploit to the target, requiring at most that the target receive a message or load a page.
  • Implant: the implant handles persistent access, communication with command-and-control servers, and data collection, typically surviving device reboot and cycling through multiple exfiltration channels.
  • OpSec: operational security layers (URL randomization, geofencing, multi-tier anonymous C2 relays) protect both the vendor's infrastructure and the customer's identity from attribution.

What separates the leading CSV vendors from less capable operators is not simply the quality of individual exploits. It is the completeness and integration of the stack. A well-resourced CSV can acquire or develop a zero-day, qualify a target device without burning the exploit, deliver the payload through an appropriate vector, install an implant that survives device reboot, and maintain persistent covert access — all without the customer's technical staff needing to understand how any component works. The customer receives an operator console. The vendor manages everything else.

CSV Full-Stack Attack Lifecycle (figure)

  • Stage 1: Reconnaissance (device fingerprint)
  • Stage 2: Delivery (zero-click / link / ad)
  • Stage 3: Implant (RCE + sandbox escape)
  • Stage 4: Exfiltration (data, credentials, media)
  • Stage 5: OpSec / C2 (geofence, anonymous relay, rotation)

CSV full-stack tooling covers the complete attack lifecycle, from target qualification through persistent C2 with layered operational security.

How Exploit Chains Are Built and Sold

The exploit acquisition model varies by vendor, but the capable CSVs maintain internal research teams whose sole function is discovering and weaponizing vulnerabilities before they are patched or disclosed. According to GTIG's December 2025 analysis, Intellexa accounts for 15 unique zero-day vulnerabilities discovered by GTIG and its predecessor Google Threat Analysis Group since 2021 — including Remote Code Execution (RCE), Sandbox Escape (SBX), and Local Privilege Escalation (LPE) vulnerabilities. GTIG observed that Intellexa has demonstrated the ability to rapidly develop new exploits using all three classes, often adapting within weeks when platform vendors deploy mitigations. This kind of velocity requires sustained engineering investment and access to a pipeline of undisclosed vulnerabilities.

Some vendors supplement internal research by purchasing vulnerabilities from brokers or independent researchers. GTIG has noted increasing evidence that Intellexa is purchasing individual steps of exploit chains from external entities — for example, the iOS JSKit framework used against Egyptian targets in 2023 had previously been used by Russian government-backed attackers against Mongolian government websites, suggesting the framework originated with a third party that supplied multiple customers. Zerodium, a prominent broker, has publicly listed up to $2 million for zero-click full-chain iOS exploits with persistence — and up to $2.5 million for the Android equivalent. Actual transaction prices in the commercial market for weaponized full-chain iOS zero-click exploits are estimated substantially higher, in the $5–7 million range for 2024–2025 according to market analysis, reflecting both increasing platform security and the competition from legitimate bug bounty programs. A weaponized Chrome RCE with sandbox bypass has been estimated in the range of $100,000 to $300,000 for a platform-deployable version — pricing that limits the buyer pool to well-funded governments and their proxies.

The delivery mechanism has diversified considerably. Amnesty International's Security Lab describes Intellexa's primary delivery model as one-time links sent over encrypted messaging apps — a user clicks, the exploit fires, and the implant is installed. The one-time link model is a deliberate counter-forensics choice: the fewer copies of an active exploit link that circulate, the harder it is for researchers to capture and analyze.

In 2025, Intellexa expanded significantly into a second delivery vector: the commercial mobile advertising ecosystem. GTIG confirmed that Intellexa had begun abusing ads on third-party platforms to fingerprint visitors and redirect those who match target profiles to exploit delivery servers. Leaked Intellexa documents published in December 2025 by Inside Story, Haaretz, and the WAV Research Collective revealed the existence of a named system for this capability: "Aladdin." Amnesty International's Security Lab described Aladdin as a mechanism that forces a malicious advertisement to appear on the target's device through any website or application that displays ads, adding that simply viewing the advertisement is sufficient to trigger the infection without any click required. GTIG identified two Intellexa-linked advertising entities — Pulse Advertise and MorningStar TEC — that had been created to access the advertising ecosystem; those accounts were subsequently shut down by platform partners after GTIG's disclosure.

Physical access vectors remain available as a fallback. USB injection tools and forensic devices exist for installing implants at border crossings or checkpoints where network delivery is unavailable or where a device must be accessed directly.

Once installed, spyware implants communicate with C2 infrastructure deliberately designed to resist attribution. GTIG documented that Intellexa's Predator uses a multi-tier network that routes through layers of anonymizing servers owned by third-party companies, making it harder for network defenders to trace activity back to the vendor or customer. Implant traffic moves over HTTPS and SSH to blend with normal encrypted web traffic. Geofencing logic causes the implant to go dormant or self-destruct when it detects an analysis environment outside the target region.

A significant revelation from the December 2025 Intellexa Leaks investigation: Amnesty International's Security Lab found evidence that Intellexa retained direct remote access — via TeamViewer — to live surveillance systems hosted on customers' premises, including within government facilities. This means the vendor maintained visibility into surveillance operations being conducted by its clients and into the identities of targeted individuals. The Amnesty researchers described this as raising direct questions about Intellexa's own human rights due diligence practices.

2025 Zero-Day Attribution: CSVs Take the Lead

  • 90 zero-days exploited in 2025, up from 75 in 2024
  • 18 attributed to CSVs (confirmed + likely)
  • 15 attributed to state-sponsored actors

Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in the wild in 2025, up from 75 in 2024. Of the 42 that GTIG could attribute at all (confirmed or likely), 15 were confirmed as commercial surveillance vendor exploitation and three more were assessed as likely CSV use, giving CSVs a total of 18. State-sponsored espionage groups accounted for 12 confirmed attributions plus three likely, totaling 15. Financially motivated actors were behind nine. This was the first time since GTIG began tracking that CSVs had led the count. Source: Google GTIG, "Look What You Made Us Patch: 2025 Zero-Days in Review," March 2026.

A note on how this finding is being reported elsewhere

Some coverage frames this as "commercial spyware vendors are now the biggest threat." That framing is imprecise, and here is why it matters. The CSV lead applies only within the attributed subset of zero-days — 42 of 90 had any attribution at all. GTIG is explicit that its numbers reflect detected and disclosed zero-days and may not capture all exploitation. GTIG also notes that CSVs are increasing their operational security practices, which likely reduces attribution and detection. In other words, the CSV count of 18 is a floor, not a ceiling. China-nexus groups, with at least 10 attributed zero-days, remained the single most prolific state-sponsored exploiters — and GTIG notes that edge device exploitation by these groups is likely underrepresented because detection on routers and appliances is weak. The CSV-leads-nation-states headline is accurate within its defined scope. It should not be read as meaning CSVs are more dangerous than state actors in absolute terms — state actors continue to dominate enterprise and network infrastructure exploitation.

Intellexa, PREYHUNTER, and the Aladdin Delivery System

Intellexa is the most documented CSV case study currently available to the public, and its technical architecture illustrates the engineering depth characteristic of the leading vendors in this market. GTIG's December 2025 analysis — published alongside coordinated reports from Recorded Future's Insikt Group and Amnesty International — provides the sharpest picture yet of how a full-chain commercial spyware operation is structured at the component level.

Predator's documented three-stage delivery chain illustrates the engineering integration characteristic of top-tier CSV tooling:

Stage 1
JSKit — Initial Access via WebKit

A modular JavaScript exploit framework GTIG assesses was acquired from an external source — the same framework has been observed used by other surveillance vendors and government-backed attackers since 2021, including by Russian-linked APT29 in watering hole attacks against Mongolian government websites in 2023–2024. JSKit parses in-memory binaries, resolves custom symbols, and supports multiple PAC (Pointer Authentication Code) bypass variants, enabling native code execution across a wide range of iOS versions. GTIG recovered debug strings indicating Intellexa held at least seven distinct iOS exploit variants within this framework.

Stage 2
Sandbox Escape + Kernel Privilege Escalation

Breaks out of the Safari browser sandbox and escalates privileges to system level. In the documented 2023 Egypt campaign, this stage used CVE-2023-41991 — a certificate validation bypass in the iOS Security framework (CoreTrust) that allows a malicious app to bypass signature validation — chained with CVE-2023-41992, a kernel local privilege escalation, to obtain kernel memory read/write capabilities. These primitives were then passed to Stage 3. The second stage reuses the PAC bypass from Stage 1, making the chain tightly integrated across all three components.

Stage 3
PREYHUNTER — Stager with Anti-Analysis

The final delivered component, consisting of two modules: helper (payload loader) and watcher (anti-analysis engine). The watcher monitors for developer mode activation, debugger attachment, security applications, and network interception. Jamf Threat Labs documented its error code taxonomy in January 2026: 304 = active security tools detected; 310 = debug console attached. Even running netstat triggers abort. If the watcher fires, the operator receives the specific error code and can adapt targeting — the device is not lost, just deferred.

Once a device is successfully compromised, Predator collects from the device and exfiltrates to an attacker-controlled server:

  • Signal messages
  • WhatsApp messages
  • Emails
  • Microphone audio
  • Camera images
  • Device location
  • Stored passwords
  • Contacts
  • Screenshots

Predator's marketing materials explicitly advertise access to Signal, an application commonly recommended as secure messaging, without any indication of how that access is obtained. Given an implant running with root privileges, that access is simply reading the app's local message store on the endpoint: end-to-end encryption protects messages in transit, not on a compromised device. The leaked documents show Intellexa retaining remote access to customer surveillance dashboards through TeamViewer, including logs showing surveillance targets, even when those systems were hosted in government facilities in countries where Intellexa operates.

Intellexa's ongoing activity demonstrates that US Treasury OFAC sanctions imposed in March and September 2024 — targeting the corporate entities and seven executives associated with the consortium — have not significantly disrupted operations. Recorded Future's Insikt Group reported in June 2025 that active Predator infrastructure remained in use across more than a dozen countries, primarily in Africa, with customers in Saudi Arabia, Kazakhstan, Angola, and Mongolia still communicating with Predator's multi-tier infrastructure as of mid-2025.

A common framing that needs unpacking: "sanctions are working against spyware vendors"

Online coverage of US OFAC sanctions against Intellexa frequently frames them as impactful actions against the spyware industry. The documented operational evidence points in the opposite direction. Intellexa's multi-entity structure — spanning Ireland, Greece, Hungary, North Macedonia, and other jurisdictions — was engineered with regulatory resilience in mind. When one entity faces sanctions or legal pressure, activity migrates to others. Recorded Future's June 2025 analysis found continued infrastructure activity across more than a dozen countries after both waves of US sanctions had been applied. The Intellexa Leaks investigation, published December 2025, documented active Predator deliveries in Pakistan. GTIG's December 2025 report noted that Intellexa "continues to deliver extremely capable spyware to high paying customers." This is not a dismissal of sanctions as a policy tool — the Williams prosecution and the NSO WhatsApp case show civil and criminal litigation can impose real costs. The point is that unilateral sanctions without coordinated enforcement across Intellexa's operating jurisdictions have not disrupted the vendor's operational capability in any documented way. That is the accurate characterization, and it is different from what some coverage implies.

Tooling in the Wild: Coruna, DarkSword, and the Proliferation Problem

The clearest available illustration of what happens when CSV tooling escapes controlled deployment is not hypothetical — it played out in documented stages across 2025 and into early 2026, driven by two named iOS exploit frameworks: Coruna and DarkSword.

Coruna: From Surveillance Operation to Mass Criminal Campaign

GTIG first captured elements of Coruna in February 2025, when researchers recovered fragments of an iOS exploit chain in use by a customer of a commercial surveillance company. The framework opened with a fingerprinting module that collected data points to determine whether the device was real, identified the specific iPhone model and iOS software version, and then silently delivered the appropriate WebKit remote code execution exploit for that configuration. The initial exploit GTIG captured targeted CVE-2024-23222, a WebKit vulnerability that Apple had patched in iOS 17.3 in January 2024 without crediting any external researcher — a pattern associated with vendor-reported zero-days.

GTIG did not immediately recover the full kit. That came in December 2025, when the same obfuscated JavaScript framework appeared on a network of fake Chinese websites styled as cryptocurrency exchanges and financial platforms. Because one of the actors deployed a debug version of the kit, GTIG recovered the full codebase including exploit code names and the internal name of the framework itself: Coruna.

The complete kit contained five full iOS exploit chains using a total of 23 individual exploits targeting iOS versions 13 through 17.2.1. The exploit list included both CVE-tracked vulnerabilities and flaws never assigned CVE identifiers. Key documented exploits:

  • CVE-2024-23222, WebKit type confusion: RCE on iOS 17.2.1; patched in iOS 17.3, January 2024, with no external researcher credited
  • CVE-2022-48503, WebKit: added to the CISA KEV catalog in October 2025
  • CVE-2023-43000, WebKit use-after-free: fixed in iOS 16.6; CVE entry added November 2025; CISA KEV March 2026
  • CVE-2023-32434, iOS kernel: also used in Operation Triangulation (2023)
  • CVE-2023-38606, iOS kernel: also used in Operation Triangulation; exploits an undocumented hardware feature
  • CVE-2023-41974, kernel use-after-free: CISA KEV March 2026; remediation deadline March 26, 2026
  • CVE-2021-30952, WebKit: CISA KEV March 2026; remediation deadline March 26, 2026

GTIG described the more advanced exploits in the kit as using non-public exploitation techniques and mitigation bypasses, with extensive inline documentation including docstrings and comments authored in native English. The sophistication of the documentation is consistent with a professional development operation rather than opportunistic assembly.

Coruna migrated across three distinct threat actors in under a year:

  • February 2025 Unnamed CSV Customer — Targeted Surveillance

    GTIG recovered fragments of an iOS exploit chain in use by a customer of a commercial surveillance company. Geofenced delivery, device fingerprinting, single CVE captured: CVE-2024-23222.

  • July 2025 UNC6353 — Suspected Russian Espionage

    Same JavaScript framework appeared as a hidden iframe on compromised Ukrainian websites spanning industrial equipment, retail, local services, and e-commerce. Delivered only to geofenced iPhone users. CVEs deployed: CVE-2024-23222, CVE-2022-48503, CVE-2023-43000. GTIG worked with CERT-UA to clean up compromised sites.

  • December 2025 UNC6691 — Financially Motivated, China-Based

    Full kit recovered from a network of fake Chinese cryptocurrency exchange sites. Geofencing removed entirely — maximum volume over targeting precision. Final payload: PLASMAGRID, targeting 18 cryptocurrency wallet apps. Debug version deployed by this actor allowed GTIG to recover the full codebase and the kit's internal name.

The final payload delivered in the UNC6691 campaign — tracked by GTIG as PLASMAGRID — illustrates how the same exploitation infrastructure can be repurposed for entirely different objectives. PLASMAGRID injects itself into the iOS powerd daemon running as root, then downloads modules targeting 18 cryptocurrency wallet applications:

  • MetaMask
  • Phantom
  • Exodus
  • BitKeep
  • Uniswap
  • +13 others

It scans images for QR codes and parses Apple Notes for wallet seed phrases and strings such as "backup phrase" and "bank account." The code comments are written in Chinese and some appear to have been generated with large language model assistance. This is not surveillance spyware — it is a cryptocurrency theft tool built on top of nation-state-grade iOS exploitation infrastructure.

iVerify co-founder Rocky Cole assessed that the Coruna framework has similarities to tools developed by actors affiliated with the U.S. government, and suggested the kit had likely been originally developed by a government contractor before migrating to brokers and then to the secondary market. GTIG declined to make a public attribution on origin. Both organizations agreed on the structural point: the commercial surveillance industry's secondary markets created the proliferation pathway.

Coruna's origin and the Operation Triangulation overlap: what is actually known and what is disputed

There are two separate contested questions here, and they are often conflated online. The first is who developed Coruna. The second is whether Coruna shares code with Operation Triangulation.

On origin: TechCrunch reported in March 2026 that two former employees of L3Harris's offensive cyber division, Trenchant, independently recognized Coruna artifacts and internal naming conventions, with one confirming "Coruna was definitely an internal name of a component." Coruna's exploit naming uses bird species — Cassowary, Terrorbird, Bluebird, Jacurutu, Sparrow, Photon, Gallium — consistent with Trenchant's known convention; their previously documented exploit chain was named Condor. Separately, Peter Williams, former general manager of L3Harris Trenchant, was sentenced in early 2026 to 87 months in federal prison for stealing at least eight zero-day exploits from the company and selling them to Operation Zero, a Russian exploit broker, for approximately $1.3 million in cryptocurrency. This provides a credible mechanism for how a US-origin kit reached Russian espionage actors. However: L3Harris has not confirmed any connection to Coruna, GTIG made no attribution to any developer, and the former employees' statements were characterizations of technical familiarity, not formal disclosures. iVerify called the US government origin "highly likely" — not confirmed. We report the L3Harris/Trenchant connection here as a credibly sourced allegation, not established fact.

On Operation Triangulation code overlap: Some researchers, including iVerify and analysts at Dark Reading, identified engineering patterns and module names (Photon, Gallium, Plasma) shared between Coruna and the Operation Triangulation campaign Kaspersky discovered in 2023. Kaspersky principal researcher Boris Larin explicitly disputed this inference in a statement to The Hacker News: "Neither Google nor iVerify in their published research claims that Coruna reuses Triangulation's code. What they identify is that two exploits in Coruna — Photon and Gallium — target the same vulnerabilities. That's an important distinction. Attribution cannot be based solely on the fact of exploitation of these vulnerabilities." GTIG similarly acknowledged only that two Coruna CVEs (CVE-2023-32434 and CVE-2023-38606) overlap with Operation Triangulation vulnerabilities, not code. In a subsequent Dark Reading analysis, however, Kaspersky updated its position, stating that after further analysis it believed Coruna is "very much an outgrowth of Operation Triangulation" and that the malware had incorporated four new iOS kernel exploits on top of the Triangulation chassis. This article's position is that Coruna shares the Triangulation vulnerability targets, that both GTIG and iVerify identified structural similarities, and that the L3Harris/Trenchant connection is credibly sourced and widely reported, while noting that formal code-reuse attribution remains disputed and that GTIG has not made a developer attribution.

CISA added three Coruna-exploited vulnerabilities — CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000 — to its Known Exploited Vulnerabilities catalog on March 5–7, 2026, with a federal remediation deadline of March 26, 2026.

On the "42,000 compromised iPhones" figure circulating widely online

Multiple secondary sources cite a figure of 42,000 compromised iPhones in connection with the Coruna/UNC6691 campaign. This number originates from iVerify's own reporting and was quoted by iVerify CPO Spencer Parker, who described it as a "massive number" for iOS platforms and noted iVerify expected it to grow. However, iVerify's published technical disclosures present this as an estimate derived from infrastructure and IOC analysis — not a count of confirmed forensically verified infections. GTIG's primary report on Coruna does not provide a device compromise count. Given that the UNC6691 campaign operated without geofencing across a broad network of fake crypto sites, the true affected number is unknown. This article does not cite the 42,000 figure because it cannot be independently verified against a primary methodological source. If iVerify publishes a detailed methodology for that estimate, it warrants citation at that point.

DarkSword: The Second Framework

Within weeks of GTIG's Coruna disclosure, a second framework emerged. DarkSword — named from toolmarks recovered in captured payloads — targets iOS versions 18.4 through 18.7 using six documented vulnerabilities:

  • CVE-2025-31277
  • CVE-2025-43529
  • CVE-2026-20700
  • CVE-2025-14174
  • CVE-2025-43510
  • CVE-2025-43520

GTIG assessed that DarkSword had been in use since at least November 2025. Lookout, which discovered DarkSword while analyzing Coruna infrastructure, identified it as likely developed in the Gulf region, possibly by individuals previously associated with the DarkMatter Group.

GTIG observed multiple commercial surveillance vendors and state-sponsored actors using DarkSword in distinct campaigns targeting individuals in Saudi Arabia, Turkey, Malaysia, and Ukraine. UNC6353, the suspected Russian group that had already adopted Coruna, incorporated DarkSword into Ukrainian watering hole campaigns from December 2025 onward, deploying a malware family GTIG tracks as GHOSTBLADE — a JavaScript-based dataminer that collects and exfiltrates device data over HTTPS and includes code to delete crash reports. Apple addressed the DarkSword vulnerabilities and released patches for older iOS versions in a precedent-breaking out-of-band update.

DarkSword escalated the proliferation concern further when its full codebase appeared on GitHub. Lookout observed that both Coruna and DarkSword exhibit signs of code expansion using LLM assistance, particularly visible in DarkSword's inline code commentary.

Taken together, Coruna and DarkSword illustrate the structural problem: the same base capability can serve targeted surveillance, state espionage, and mass financial crime in sequence, with each successive actor requiring less technical capability than the last. The commercial surveillance industry's original customer was a government. Within a year of that first deployment, a Chinese criminal group running cryptocurrency scam sites was using the same iOS exploitation infrastructure.

Detection and Response Tools

The tooling built to detect commercial spyware is considerably less well-resourced than the tooling built to deploy it, but several effective instruments exist for defenders and forensic researchers. The Coruna disclosure produced coordinated IOC releases from GTIG, iVerify, and Amnesty International's Security Lab simultaneously — a detection response that was faster and more coordinated than previous CSV incidents and set a useful precedent for multi-party disclosure.

Mobile Verification Toolkit (MVT)

Amnesty International's Security Lab released MVT in 2021 as part of the forensic methodology developed during the Pegasus Project investigation. It remains the primary open-source forensic tool for detecting spyware on both iOS and Android devices. MVT scans device backups or full filesystem dumps against published indicators of compromise (IOCs) — including domain names used in CSV C2 infrastructure, process artifacts, and network traffic anomalies associated with known implants. For iOS devices, MVT can work with an encrypted iTunes backup or a full filesystem dump; for Android, it pairs with the AndroidQF acquisition tool. Both are maintained by Amnesty International and available via GitHub and PyPI.

One important caveat: MVT is a tool for forensic researchers and technically trained investigators, not a consumer self-assessment product. Amnesty's Security Lab notes explicitly that negative MVT results do not confirm a device is clean — sophisticated implants may evade detection if their IOCs have not been published. The PREYHUNTER watcher module documented in Predator by Jamf in January 2026 actively monitors for exactly the class of tools used in MVT-based investigations — including Frida instrumentation, network interception tools, and even netstat — and aborts deployment to avoid forensic discovery if they are detected. An implant that never fires against a researcher leaves no artifacts for MVT to find, and Predator operators are informed via error code (error 304 for active analysis tools, error 310 for debug console attachment) exactly why each deployment was aborted.
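As an added illustration (not MVT's own code, and not published indicators): the matching step MVT performs, reduced to its core. A STIX2 bundle of the shape MVT consumes is constructed inline with hypothetical domains and a hypothetical process name, and swept against constructed device records of the kind a backup yields (Safari history, data-usage entries, shutdown-log process names). The subdomain rule matters: a host that merely contains the indicator string as a suffix of a different registered domain is not a hit, while any subdomain of the indicator is.

```python
"""IOC sweep in the style of MVT: load STIX2 indicators, match device artifacts.

Added example. The STIX2 bundle and device records below are constructed for
illustration: the domains and the process name are hypothetical, not published IOCs.
"""
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle (indicator objects, one observable per pattern).
# Object ids are shortened for readability.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "name": "c2 domain (hypothetical)",
         "pattern": "[domain-name:value = 'cdn-update.example']",
         "pattern_type": "stix", "valid_from": "2026-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--2", "name": "c2 domain (hypothetical)",
         "pattern": "[domain-name:value = 'metrics-sync.example']",
         "pattern_type": "stix", "valid_from": "2026-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--3", "name": "implant process (hypothetical)",
         "pattern": "[process:name = 'syslogd_helper']",
         "pattern_type": "stix", "valid_from": "2026-01-01T00:00:00Z"},
    ],
})

# Matches the single-observable STIX patterns used above, e.g. [domain-name:value = 'x']
PATTERN_RE = re.compile(
    r"\[(?P<kind>[a-z\-]+):(?P<field>[a-z_]+)\s*=\s*'(?P<value>[^']+)'\]"
)


def load_iocs(bundle_json):
    """Return {'domains': set, 'processes': set} extracted from a STIX2 bundle string."""
    iocs = {"domains": set(), "processes": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not m:
            continue  # unsupported pattern shape; a full implementation would parse STIX patterns
        kind, value = m.group("kind"), m.group("value").lower()
        if kind == "domain-name":
            iocs["domains"].add(value)
        elif kind == "process":
            iocs["processes"].add(value)
    return iocs


def domain_matches(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one (suffix-on-label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_records(records, iocs):
    """records: dicts with 'source' and either 'url' or 'process'. Returns (source, value) hits."""
    hits = []
    for rec in records:
        if "url" in rec:
            host = urlparse(rec["url"]).hostname or ""
            if domain_matches(host, iocs["domains"]):
                hits.append((rec["source"], rec["url"]))
        elif "process" in rec:
            if rec["process"].lower() in iocs["processes"]:
                hits.append((rec["source"], rec["process"]))
    return hits


# Constructed device records, in the shape a backup parser would produce.
DEVICE_RECORDS = [
    {"source": "safari_history", "url": "https://www.apple.com/"},
    {"source": "safari_history", "url": "https://a1.cdn-update.example/u/x9"},
    {"source": "datausage", "url": "https://metrics-sync.example:443/ping"},
    {"source": "shutdown_log", "process": "syslogd_helper"},
    {"source": "shutdown_log", "process": "locationd"},
    # Looks similar but is a different registered domain: must NOT match.
    {"source": "safari_history", "url": "https://notcdn-update.example/"},
]


def sweep():
    """Run the constructed records against the constructed indicators."""
    return scan_records(DEVICE_RECORDS, load_iocs(STIX_BUNDLE))


if __name__ == "__main__":
    for source, value in sweep():
        print(f"HIT {source}: {value}")
```

With real indicators the equivalent step is `mvt-ios check-backup --iocs <stix2 file> --output <dir> <backup path>`; the value of seeing the logic in the open is that it makes the caveat above concrete. A sweep is only as good as the indicator set it is given, and an implant that aborted before installing, or whose domains have never been published, produces nothing for either function to match.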

iVerify

iVerify offers both an enterprise mobile threat detection platform and a consumer-accessible basic app. Following the Coruna disclosure, iVerify published IOCs and a dedicated STIX2 file for MVT compatibility, and made its Basic app free to allow any user to check for Coruna-related indicators. iVerify's independent analysis of Coruna identified additional modules targeting WhatsApp beyond those documented by GTIG, and assessed the kit was in active development at the time of discovery. iVerify co-founder Rocky Cole described the case as the first time mass exploitation against iOS devices by a criminal group using nation-state-grade tools had been observed in public reporting. For organizations managing fleets of mobile devices, iVerify Enterprise provides real-time behavioral detection of sophisticated mobile threats including those in the CSV category. GTIG provides Coruna IOCs in a free collection on VirusTotal for registered users.

SpyGuard and Network Traffic Analysis

Network-layer detection using tools like SpyGuard can identify anomalies in encrypted traffic that may suggest an implant beaconing to C2 infrastructure, though sophisticated CSV implants employ protocol rotation and traffic blending techniques that make network-based detection increasingly difficult. PLASMAGRID — Coruna's final crypto-theft payload — exfiltrates data over HTTPS, blending with normal encrypted web traffic. Apple's Sysdiagnose collection capability can assist in capturing diagnostics for analysis by researchers with sufficient forensic context, though Predator's watcher monitors the diagnosticd filter file modification time relative to system boot time, triggering error 310 if console logging was enabled after boot — the exact pattern a researcher would follow.
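As an added example (constructed flow records using RFC 5737 documentation addresses, not captured traffic): a first-pass beacon finder over egress flow logs of the kind a network sensor exports. It groups connections by source and destination, measures how regular the gaps between successive connections are, and flags pairs whose coefficient of variation is low, which is what an implant with a fixed C2 check-in interval looks like on the wire even though the payload is HTTPS. The caveat from the paragraph above applies directly: an implant that adds jitter or rotates through several relay hosts spreads its check-ins across pairs and raises the variance, so this catches naive beaconing only.

```python
"""Beacon-interval detection over egress flow records.

Added example. FLOW_LOG is constructed (RFC 5737 addresses), not captured traffic.
Flags (src, dst) pairs whose inter-connection intervals are suspiciously regular.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed flow log: timestamp, source, destination:port, protocol.
# 198.51.100.7 is contacted every ~5 minutes; 203.0.113.10 is ordinary irregular browsing.
FLOW_LOG = """\
2026-03-01T10:00:00Z 10.0.0.5 198.51.100.7:443 tls
2026-03-01T10:00:04Z 10.0.0.5 203.0.113.10:443 tls
2026-03-01T10:05:00Z 10.0.0.5 198.51.100.7:443 tls
2026-03-01T10:10:01Z 10.0.0.5 198.51.100.7:443 tls
2026-03-01T10:12:37Z 10.0.0.5 203.0.113.10:443 tls
2026-03-01T10:14:59Z 10.0.0.5 198.51.100.7:443 tls
2026-03-01T10:20:00Z 10.0.0.5 198.51.100.7:443 tls
2026-03-01T10:25:02Z 10.0.0.5 198.51.100.7:443 tls
2026-03-01T10:41:10Z 10.0.0.5 203.0.113.10:443 tls
2026-03-01T11:03:22Z 10.0.0.5 203.0.113.10:443 tls
"""


def parse_flows(text):
    """Parse one flow per line into (datetime, src, dst) tuples; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, _proto = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        dst = dst_port.rsplit(":", 1)[0]  # drop the port; key on destination host only
        flows.append((when, src, dst))
    return flows


def beacon_candidates(flows, min_connections=5, max_cv=0.1):
    """Return pairs with at least min_connections whose gap coefficient of variation <= max_cv.

    A low CV means the gaps are nearly identical, i.e. a timer-driven check-in.
    Human-driven traffic to the same host produces a high CV and is ignored.
    """
    by_pair = defaultdict(list)
    for when, src, dst in flows:
        by_pair[(src, dst)].append(when)

    results = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            results.append({
                "pair": pair,
                "count": len(times),
                "period_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return results


if __name__ == "__main__":
    for hit in beacon_candidates(parse_flows(FLOW_LOG)):
        src, dst = hit["pair"]
        print(f"possible beacon {src} -> {dst}: {hit['count']} connections, "
              f"period {hit['period_s']}s, cv {hit['cv']}")
```

Keying on destination IP is deliberately the weakest choice here so the limitation is visible: a multi-tier relay design with rotation defeats it, and the usual next step is to key on the server certificate fingerprint or SNI across destinations, which survives IP rotation more often than not.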

If You Are a Journalist, Activist, or Civil Society Member at Risk

Do not attempt self-assessment using MVT without technical guidance. Contact Amnesty International's Security Lab or Access Now's Digital Security Helpline for professional forensic support. These organizations provide confidential device analysis to civil society members who may be targets of commercial spyware. For Coruna and DarkSword specifically: update iOS to the latest available version immediately, and enable Lockdown Mode whether or not you can update. Both kits are engineered to abort execution on Lockdown Mode-enabled devices, and Lockdown Mode also narrows the attack surface for chains that have not yet been captured.

Lockdown Mode: what "no known breach" actually means — and what it does not

Apple spokesperson Sarah O'Rourke confirmed in March 2026 that Apple is not aware of any successful attack against a device running Lockdown Mode since the feature launched in iOS 16 in 2022. Amnesty International's Security Lab and Citizen Lab corroborate this, stating they found no evidence of Lockdown Mode devices being compromised in dozens of spyware investigations. Coruna and DarkSword both abort on Lockdown Mode-enabled devices — this is documented behavior, not a claim.

The nuance that gets lost in much online coverage: "no known successful attack" is not the same as "cannot be breached." Apple's language is deliberately precise on this point. Researchers consistently note that a breach could have occurred without being detected or disclosed, and that state-level intelligence agencies — whose capabilities and operational security substantially exceed those of commercial spyware vendors — operate under different constraints and do not typically appear in Citizen Lab or Amnesty reports. Lockdown Mode's surface area reduction works because it disables entire categories of functionality that exploits historically rely on. An attacker who needed those features can't use them. An attacker who can find a chain in what remains — a substantially smaller, simpler codebase — would still succeed. The economic calculus shifts significantly: building a reliable chain against a Lockdown Mode device costs far more than building one against a standard iOS device. That cost shift is real and meaningful for the population the feature was designed to protect. For the threat model most readers of this article face, that record is strong enough to recommend the feature without reservation for high-risk individuals. It is not strong enough to declare the problem solved.

How to Check a Device for Commercial Spyware

For technically capable researchers working with the open-source toolchain, the workflow proceeds as follows:

  • Step 1: Install MVT from PyPI, following the documented dependencies for your operating system.
  • Step 2: iOS: create an encrypted iTunes backup or a full filesystem dump. Android: use AndroidQF to capture a forensic snapshot.
  • Step 3: Obtain the latest published IOCs from Amnesty International's Security Lab, iVerify, or Citizen Lab in STIX2 or MVT-compatible format. iVerify published a dedicated STIX2 file for Coruna IOCs that MVT can consume directly.
  • Step 4: Run mvt-ios check-backup or mvt-android check-backup against the device data, pointing to the IOC file.
  • Step 5: Review the output carefully. Detections require further investigation. A clean result should be interpreted with appropriate uncertainty: detection evasion is an engineering priority for the vendors producing these tools, not an afterthought.
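To make Steps 3 to 5 concrete, the following Python sketch is an added example (not MVT's own code, and not from any vendor or lab named in this article) of what the IOC-matching step does under the hood: it parses a STIX2 bundle of the kind Amnesty International and iVerify publish for MVT, extracts the atomic indicator values, and compares them against a few records of the kind a backup check produces. Every domain, process name and hash in it is a constructed placeholder. The observable paths it recognizes (domain-name:value, url:value, process:name, file:hashes.sha256) are common ones in MVT-compatible files; the subdomain-matching rule and the decision to skip compound patterns are this example's own choices.

```python
"""Illustrative STIX2 indicator matching in the style of MVT's IOC checks.

Added example, not MVT's own code. Every domain, process name and hash below
is a constructed placeholder, not a real indicator from any published IOC file.
"""
import json
import re
from urllib.parse import urlparse

# Constructed bundle with the same shape as the STIX2 files shipped for MVT.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000001",
         "name": "example-spyware"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example-c2.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[process:name = 'placeholder-agent']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[file:hashes.sha256 = '" + "0" * 64 + "']"},
        # Compound pattern: this sketch skips it rather than guessing its meaning.
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix",
         "pattern": "[url:value = 'https://a.invalid/x' OR url:value = 'https://b.invalid/y']"},
    ],
})

# One atomic comparison: [<observable path> = '<value>']
ATOMIC_RE = re.compile(r"\[\s*([a-z\-]+:[A-Za-z0-9_.\-]+)\s*=\s*'([^']*)'\s*\]")


def parse_stix2_indicators(text):
    """Map observable path (e.g. 'domain-name:value') -> set of lowercase values."""
    indicators = {}
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = ATOMIC_RE.fullmatch(obj.get("pattern", "").strip())
        if m is None:
            continue  # compound or unsupported pattern: skipped, not guessed
        path, value = m.group(1), m.group(2).lower()
        indicators.setdefault(path, set()).add(value)
    return indicators


def domain_matches(host, domains):
    """Exact or subdomain match; this rule is the example's own assumption."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_records(records, indicators):
    """records: dicts with 'module', 'kind' (url|process|sha256) and 'value'."""
    detections = []
    for rec in records:
        kind, value = rec["kind"], rec["value"].lower()
        matched = None
        if kind == "url":
            host = urlparse(value).hostname or ""
            if domain_matches(host, indicators.get("domain-name:value", ())):
                matched = "domain-name:value"
            elif value in indicators.get("url:value", ()):
                matched = "url:value"
        elif kind == "process" and value in indicators.get("process:name", ()):
            matched = "process:name"
        elif kind == "sha256" and value in indicators.get("file:hashes.sha256", ()):
            matched = "file:hashes.sha256"
        if matched:
            detections.append({**rec, "matched": matched})
    return detections


# Constructed records of the kind a backup check extracts (browser history,
# process lists, file hashes). All values are placeholders.
SAMPLE_RECORDS = [
    {"module": "safari_history", "kind": "url", "value": "https://www.apple.com/"},
    {"module": "safari_history", "kind": "url", "value": "https://cdn.example-c2.invalid/p"},
    {"module": "processes", "kind": "process", "value": "kernel_task"},
    {"module": "processes", "kind": "process", "value": "placeholder-agent"},
    {"module": "manifest", "kind": "sha256", "value": "0" * 64},
]


def run_example():
    """Parse the constructed bundle and check the constructed records against it."""
    indicators = parse_stix2_indicators(SAMPLE_STIX2)
    return check_records(SAMPLE_RECORDS, indicators)


if __name__ == "__main__":
    for d in run_example():
        print(f"DETECTED {d['module']}: {d['value']} matched {d['matched']}")
    # A clean run prints nothing: that is absence of known matches, not absence of compromise.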

The Browser Attack Surface CSVs Rely On

CSVs have consistently prioritized mobile devices and browser exploit chains as their primary attack surface, in contrast to nation-state actors who have shifted heavily toward edge devices and security appliances. GTIG's 2025 data confirmed the divergence: state-sponsored espionage groups focused on routers, switches, VPN appliances, and security tools — the edge infrastructure that lacks endpoint detection and response coverage. CSVs focused on mobile operating systems and browsers, which is where high-value surveillance targets — journalists, activists, politicians, dissidents — are reachable.

Browser zero-days dropped to eight in 2025, a historic low and a meaningful decline from the peak years of 2021 and 2022. GTIG noted that browser hardening efforts have forced attackers to adjust — but the adjusted pattern is exploit chains requiring three or more chained vulnerabilities to achieve a single objective on mobile devices. This is expensive but not prohibitive for well-funded CSVs. When a single-bug exploitation path is closed by a vendor mitigation, the response from a capable CSV is not to abandon the surface — it is to chain another bug.

Why "browser zero-days are declining" is not a straightforward victory claim

The drop in detected browser zero-days is real, but GTIG's own 2025 report qualifies what it means: the decline in detected browser exploitation "may also be a case of threat actors using more advanced evasion tactics and being better at hiding malicious activity." SecurityWeek reported the same caveat from GTIG directly: "While this can be an indicator of stronger browser security, it can also suggest that attacks are more sophisticated and harder to spot." Google's 2024 zero-day review made the same point, noting that CSVs "appear to be increasing their operational security practices, potentially leading to decreased attribution and detection." So there are two plausible explanations for the declining detected count: (1) browser hardening is working, raising the cost of exploitation; (2) sophisticated actors have improved their ability to conduct browser exploitation without triggering detection. Both can be simultaneously true. This article attributes the decline to hardening efforts while acknowledging that improved attacker OPSEC is a documented competing explanation from the same primary source. The practical implication for defenders does not change either way — patching remains essential, because a lower detected count does not mean exploitation has stopped.

The recent Chrome zero-day CVE-2026-5281 — a use-after-free in Chrome's WebGPU implementation (Dawn) — is a representative example of where that surface is expanding. WebGPU introduces complex memory interactions across renderer and GPU process boundaries; the same low-level, C++-implemented code paths that enable high-performance GPU access from web content create object lifetime management complexity where use-after-free conditions emerge. CVE-2026-5281 requires a prior renderer compromise to be useful, meaning it functions as the second link in a chain — exactly the compound exploitation model CSVs build their delivery frameworks around. CISA added CVE-2026-5281 to its Known Exploited Vulnerabilities catalog on April 1, 2026, with a federal remediation deadline of April 15, 2026.

The pattern of multiple Dawn use-after-free vulnerabilities fixed in a single Chrome release — CVE-2026-5281, CVE-2026-5284, and CVE-2026-5286 were all patched together on March 31, 2026 — reflects how subsystems with complex memory semantics generate clusters of related bugs. For defenders, it reinforces that browser patch velocity matters independently of whether a specific exploit is attributed to a CSV. The same browser flaws that nation-state actors and financially motivated groups exploit today begin their lifecycle in many cases as commercial surveillance capabilities.

  • 8 browser zero-days in 2025 — historic low
  • 15 mobile OS zero-days in 2025 — up from 9 in 2024
  • 3+ chained bugs required per mobile exploit chain

Mobile operating system zero-days rose to 15 in 2025, up from 9 in 2024. GTIG observed that in many mobile exploitation cases, three or more flaws were chained to achieve a single goal — a direct consequence of iOS and Android security hardening raising the cost of exploitation without eliminating it.

2025 zero-days by vendor: Microsoft led with 25, followed by Google with 11 and Apple with 8. For CSVs, Apple and Google platforms are where high-value surveillance targets are most reachable — the same surface nation-state actors have increasingly abandoned in favor of edge devices.

Policy Response and Its Limits

The regulatory and policy environment around commercial surveillance vendors has developed significantly since 2023, but the gap between stated intent and measurable impact on vendor operations remains large.

The Pall Mall Process — a multi-stakeholder initiative jointly launched by France and the United Kingdom in February 2024 — produced its first major output at a Paris conference on April 3–4, 2025: a Code of Practice for States, initially backed by 25 states and later joined by the United States in May 2025. The Code is structured around four pillars — accountability, precision, oversight, and transparency — and commits signatory states to voluntary political commitments on the development, facilitation, purchase, transfer, and use of commercial cyber intrusion capabilities. It explicitly calls for governments to pursue financial restrictions, travel restrictions, or criminal charges against individuals and entities that misuse these tools.

What the Code does not do: It does not prohibit high-risk spyware procurement. It does not require governments to notify vendors when they purchase or exploit zero-day vulnerabilities. Legal scholar Fionnuala Ní Aoláin wrote in Just Security that the Code "stops short of agreeing to a hard legal standard by which States commit to preventing spyware abuses in their domestic law." The Pall Mall Process is now consulting on separate industry guidelines for 2026 covering due diligence, vendor vetting, and private-sector accountability.

US sanctions against Intellexa, applied by OFAC in March and September 2024 and targeting seven individuals and the corporate consortium's entities, have not visibly disrupted the vendor's operational capability. Recorded Future's Insikt Group confirmed continued active Predator infrastructure in more than a dozen countries as late as August 2025, after both waves of sanctions had been imposed. The Intellexa Leaks investigation, published December 2025, documented that Predator was still being actively delivered in Pakistan, and confirmed abuse cases previously identified in Greece and Egypt.

The NSO Group case provides the most developed example of what legal action against a CSV can achieve and where it falls short. In December 2024, Judge Phyllis Hamilton issued a summary judgment finding NSO Group liable for violating US and California anti-hacking laws — the first US court ruling of liability against a commercial spyware vendor. NSO had repeatedly failed to comply with court orders to produce Pegasus source code. A separate jury trial on damages followed in May 2025, with the jury awarding $167.25 million in punitive damages and $444,719 in compensatory damages. The punitive award was subsequently reduced by the court to approximately $4 million. The case established a legal pathway for holding CSVs accountable through civil litigation but did not disrupt the broader market; Intellexa and other vendors continued operating throughout the entire litigation period.

Why the market persists: Legitimate government demand for surveillance capability, the absence of agreed international export controls, and the opacity of broker and secondary markets that distribute exploits all sustain the structural conditions that make this industry viable. None of these conditions has been substantially altered by the policy interventions to date.

Key Takeaways

  1. CSVs now lead zero-day exploitation by attributed volume.
    For the first time since tracking began, GTIG attributed more zero-day exploitation in 2025 to commercial surveillance vendors (18, including likely attributions) than to state-sponsored espionage groups (15). The market is expanding, not contracting, despite sanctions, legal actions, and public exposure. The GTIG report title — "Look What You Made Us Patch" — reflects the direct consequence for platform vendors.
  2. CSV tooling is a complete operational stack — not just an exploit.
    Reconnaissance frameworks, delivery infrastructure (including named systems like Intellexa's Aladdin), implant capabilities, C2 relays, and evasion logic are all bundled. Defenders need visibility across all of these layers. The PREYHUNTER stager's anti-analysis error code taxonomy shows that the same engineering investment that goes into exploit development goes into detecting researchers.
  3. Exploit proliferation is a structural risk, not an edge case.
    Coruna moved from a targeted commercial surveillance operation to a mass-scale iOS cryptocurrency theft campaign within a year. DarkSword emerged on the secondary market within months and appeared on GitHub. iVerify described this as the first observed mass exploitation of iOS devices by a criminal group using nation-state-grade tools.
  4. Detection tooling exists but has meaningful limits.
    MVT and iVerify provide real forensic capability for detecting known CSV implants, but both are bounded by IOC coverage. Predator's watcher module actively monitors for the very tools used in forensic analysis. Negative detection results should be treated with appropriate uncertainty, particularly for high-risk individuals.
  5. Update and enable Lockdown Mode — the defenses that work are documented.
    Browser zero-days fell to 8 in 2025 — a historic low attributable at least in part to hardening. Both Coruna and DarkSword abort on Lockdown Mode-enabled devices and are defeated by current iOS versions. Patch velocity directly reduces the window of exposure for these specific attack classes. For Coruna: iOS 17.3 or later. For DarkSword: latest iOS release.

Sources

  1. Google Threat Intelligence Group. "Look What You Made Us Patch: 2025 Zero-Days in Review." Google Cloud Blog, March 5, 2026. cloud.google.com
  2. Google Threat Intelligence Group. "Sanctioned but Still Spying: Intellexa's Prolific Zero-Day Exploits Continue." Google Cloud Blog, December 4, 2025. cloud.google.com
  3. Google Threat Intelligence Group. "Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit." Google Cloud Blog, March 3, 2026. cloud.google.com
  4. Google Threat Intelligence Group. "The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors." Google Cloud Blog, March 2026. cloud.google.com
  5. Amnesty International Security Lab. Coordinated reports on Intellexa/Predator, published alongside Inside Story and Haaretz Intellexa Leaks investigation, December 2025.
  6. Recorded Future Insikt Group. Predator infrastructure tracking report, June 2025.
  7. Jamf Threat Labs. "Predator iOS Spyware: Undocumented Anti-Analysis Techniques." January 14, 2026. jamf.com
  8. iVerify. Coruna exploit kit IOC release and STIX2 file for MVT, March 2026.
  9. CISA. Known Exploited Vulnerabilities catalog entries for CVE-2021-30952, CVE-2023-41974, CVE-2023-43000, March 5–7, 2026. Remediation deadline March 26, 2026.
  10. France / United Kingdom. "Pall Mall Process: Code of Practice for States." Second Pall Mall Conference, Paris, April 3–4, 2025. 25 states initially; US joined May 2025.
  11. Ní Aoláin, Fionnuala. "One Step Forward? Agreement on Spyware Regulation in the Pall Mall Process." Just Security, May 2025. justsecurity.org
  12. TechCrunch. "iPhone Hacking Toolkit Used by Russian Spies Likely Built by U.S. Contractor [L3Harris Trenchant]." March 2026. (Two former Trenchant employees independently confirmed Coruna was an internal component name.)
  13. US Department of Justice. Sentencing of Peter Williams, former L3Harris Trenchant General Manager, to 87 months for selling eight zero-day exploits to Russian broker Operation Zero for approximately $1.3 million in cryptocurrency, early 2026.
  14. Larin, Boris (Kaspersky GReAT). Statement disputing code-reuse attribution of Coruna to Operation Triangulation, quoted in The Hacker News, March 2026. Subsequent Kaspersky analysis revised to assess Coruna as an outgrowth of Triangulation; reported in Dark Reading, March 2026.
  15. O'Rourke, Sarah (Apple spokesperson). Confirmation that Apple is not aware of any successful spyware attack against Lockdown Mode-enabled devices since 2022 launch. Reported by TechCrunch, March 2026.
  16. Charrier, Casey et al. (GTIG). Quoted in Cybersecurity Dive coverage of the 2025 Zero-Day Review, March 6, 2026.
  17. Cole, Rocky (iVerify). Quoted in Dark Reading, "Coruna, DarkSword and Democratizing Nation-State Exploit Kits," March 2026.
  18. van Bergen, Jurre (Amnesty International Security Lab). Quoted in Infosecurity Magazine, December 2025.